fix: bad token error of notify_triagers workflow #3477

Merged: 1 commit, Dec 16, 2024

Conversation

@sambhavgupta0705 (Member) commented Dec 16, 2024

#3460

Summary by CodeRabbit

  • New Features

    • Enhanced GitHub Actions workflow for notifying triagers on pull requests.
    • Improved commit message processing and refined counting of changed files.
    • Added logic to differentiate between Markdown and non-Markdown file changes for reviewer assignment.
  • Bug Fixes

    • Ensured accurate checkout of specific commits associated with pull requests.

coderabbitai bot commented Dec 16, 2024

Walkthrough

The pull request modifies the .github/workflows/notify-triager.yml GitHub Actions workflow to improve pull request handling. The changes focus on enhancing commit message extraction, repository checkout, and file change detection. The workflow now more accurately checks out specific pull request commits, processes commit messages more effectively, and differentiates between Markdown and non-Markdown file changes. The core functionality of notifying triagers and adding reviewers remains consistent with previous implementations.

Changes

File: .github/workflows/notify-triager.yml
Change Summary:
- Added repository and ref parameters to checkout step
- Updated commit message extraction script
- Refined file change counting logic
- Preserved CODEOWNERS maintainer extraction

Suggested labels

ready-to-merge, bounty

Suggested reviewers

  • derberg
  • magicmatatjahu
  • VaishnaviNandakumar
  • J0SAL
  • akshatnema
  • BhaswatiRoy
  • asyncapi-bot-eve
  • Mayaleeeee
  • TRohit20
  • anshgoyalevil

Poem

🐰 Workflow magic, a rabbit's delight,
Commits checked out with precision so bright
Markdown, code files, now counted with care
Triagers notified with workflows so fair
GitHub Actions dancing, pull requests take flight! 🚀


netlify bot commented Dec 16, 2024

Deploy Preview for asyncapi-website ready!

Built without sensitive environment variables

Name Link
🔨 Latest commit 1f76eb2
🔍 Latest deploy log https://app.netlify.com/sites/asyncapi-website/deploys/675febca03db35000831aa5b
😎 Deploy Preview https://deploy-preview-3477--asyncapi-website.netlify.app

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🔭 Outside diff range comments (2)
.github/workflows/notify-triager.yml (2)

Line range hint 59-77: Add validation for triager extraction

The current implementation assumes a specific CODEOWNERS format without validation.

Add validation to prevent workflow failures:

 docTriagers=$(grep '^#' CODEOWNERS | tail -n 2 | head -n 1)
+if [ -z "$docTriagers" ]; then
+  echo "Error: No doc triagers found in CODEOWNERS"
+  exit 1
+fi
 echo "docTriagers: $docTriagers"
 prefix="#docTriagers: "
 docTriagers=${docTriagers#$prefix}
+if [ "$docTriagers" = "#docTriagers: " ]; then
+  echo "Error: Invalid doc triagers format in CODEOWNERS"
+  exit 1
+fi
 echo "docTriagers=$docTriagers" >> $GITHUB_ENV
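Review bot: the second check is dead code. After `docTriagers=${docTriagers#$prefix}` the variable holds either the stripped list or, when the prefix was absent, the untouched line, so it can never equal `"#docTriagers: "`. Test for the prefix before stripping, e.g. `case "$docTriagers" in "$prefix"*) ;; *) echo "Error: Invalid doc triagers format"; exit 1;; esac`, or select the line by content with `grep '^#docTriagers: ' CODEOWNERS` instead of `grep '^#' | tail -n 2 | head -n 1`, which silently returns the wrong line as soon as another comment is added to the file. Separately, since this PR points the checkout at the pull request head while the workflow runs on `pull_request_target`, the CODEOWNERS being grepped comes from the contributor's branch; the names are exported to `$GITHUB_ENV` here, so limit them to `@[A-Za-z0-9-]+` before exporting, or read CODEOWNERS from the base branch instead.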

Line range hint 79-108: Add error handling for GitHub API calls

The current implementation doesn't handle API failures gracefully.

Add error handling and response validation:

 curl \
+  --fail \
+  --retry 3 \
   -X POST \
   -H "Authorization: token ${{ secrets.GH_TOKEN }}" \
   -H "Accept: application/vnd.github.v3+json" \
   https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/requested_reviewers \
   -d "{
     \"reviewers\": $reviewers
-  }"
+  }" || {
+    echo "Failed to add reviewers. Status: $?"
+    exit 1
+  }
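Review bot: `Status: $?` reports curl's exit code (22 for every HTTP error under `--fail`), not the HTTP status, and `--fail` also discards the response body, which is the one thing needed to diagnose a bad-token failure like the one this PR addresses. Prefer `--fail-with-body` (curl 7.76+), or drop `--fail`, capture `-w '%{http_code}'` into a variable and check it. `--retry 3` only re-sends on transient conditions (connection errors, 408/429/5xx), so a 401/403/422 still fails on the first attempt, which is right for a POST; do not add `--retry-all-errors`. The `$reviewers` value is also spliced unquoted into the JSON body; if it is derived from CODEOWNERS, validate its elements first or build the body with `jq -n --argjson r "$reviewers" '{reviewers: $r}'`.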

This change will:

  1. Add automatic retry for transient failures
  2. Fail explicitly on HTTP errors
  3. Provide better error reporting
🧹 Nitpick comments (2)
.github/workflows/notify-triager.yml (2)

Line range hint 21-24: Consider using a more robust commit message sanitization

The current approach with multiple sed commands works but could be simplified and made more robust.

Consider this alternative:

- commit_message=$(echo "$commit_message" | tr '\n' ' ')
- commit_message=$(echo "$commit_message" | sed 's/[<>|]//g' | sed 's/[][]//g' | sed 's/(//g' | sed 's/)//g' | xargs)
+ # Combine all transformations into a single sed command and preserve message length
+ commit_message=$(echo "$commit_message" | tr '\n' ' ' | sed 's/[<>|()[\]]//g' | awk '{$1=$1};1')
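Review bot: the merged bracket expression is wrong. In a POSIX bracket expression backslash is literal and `]` is only literal in first position, so `[<>|()[\]]` means one of `< > | ( ) [ \` followed by a literal `]`: a message like `fix (closes issue)` keeps its parentheses, and `\]` would be removed as a pair. The original `sed 's/[][]//g'` had the ordering right; the single-command form is `sed 's/[][<>|()]//g'`. Replacing `xargs` with `awk '{$1=$1};1'` is a genuine improvement, because xargs aborts on a commit message containing an unbalanced quote.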

Line range hint 45-57: Enhance file change detection reliability

The current implementation correctly handles basic cases, but consider these improvements:

- changed_files=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }})
+ # Use --diff-filter to exclude deleted files and ensure we only count actual changes
+ changed_files=$(git diff --name-only --diff-filter=d ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }})
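Review bot: `git diff base.sha head.sha` (two dots) compares the base branch tip with the PR head, so files changed on the base branch after the contributor branched are counted as PR changes; `git diff --name-only base.sha...head.sha` (three dots) diffs from the merge base and counts only the PR's own changes. Both commits must also exist locally, which a depth-1 checkout of the head ref alone does not guarantee, so fetch the base sha or use `fetch-depth: 0`. Note that `--diff-filter=d` excludes deletions, so a PR that only removes a Markdown page counts as zero doc changes; if deletions should still route to doc triagers, drop the filter.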

- md_count=$(echo "$changed_files" | grep -c '\.md$' || true)
- non_md_count=$(echo "$changed_files" | grep -vc '\.md$' || true)
+ # More precise file type detection
+ md_count=$(echo "$changed_files" | grep -i '\.md$' -c || true)
+ non_md_count=$(echo "$changed_files" | grep -iv '\.md$' -c || true)
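Review bot: the empty-list case is wrong in both versions. When no files changed, `echo "$changed_files"` still prints one blank line, `grep -vc '\.md$'` counts it, and `non_md_count` becomes 1; use `printf '%s' "$changed_files"` so an empty value yields zero lines. Put `-c` with the other options (`grep -ic '\.md$'`) rather than after the pattern, which only works where grep permutes arguments. The `-i` is a good addition for `README.MD`-style names.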
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 00cb653 and 1f76eb2.

📒 Files selected for processing (1)
  • .github/workflows/notify-triager.yml (1 hunks)
🔇 Additional comments (2)
.github/workflows/notify-triager.yml (2)

15-16: Verify the security implications of checking out external PR code

While the changes correctly use pull_request_target, be cautious when checking out external PR code. The current setup is secure because:

  1. It's using pull_request_target event
  2. The checkout happens after the event trigger, maintaining the security context

However, ensure that no untrusted code from the PR is executed in subsequent steps.


Line range hint 1-108: Verify workflow security and permissions

Since this workflow uses pull_request_target and handles external PRs, verify:

  1. No sensitive tokens are exposed to PR code
  2. The workflow doesn't trigger other workflows with elevated permissions
  3. The GH_TOKEN has minimum required permissions
✅ Verification successful

Workflow security verification completed - No critical issues found

The security analysis of the notify-triager workflow shows:

  1. No other workflows are triggered by this one (no workflow_run events found)
  2. The only secret used is GH_TOKEN which is appropriate for the PR review assignment task
  3. The workflow follows security best practices:
    • Uses actions/checkout with explicit ref and repository parameters
    • Only performs read operations on PR content
    • Token usage is limited to GitHub API calls for reviewer assignment
    • No code from the PR is executed, only git commands for metadata extraction
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for other workflows that might be triggered by this one
find .github/workflows -type f -name "*.yml" -exec grep -l "workflow_run" {} \;

# Check for sensitive token usage
grep -r "secrets" .github/workflows/

Length of output: 8130
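As an added example (not code from the asyncapi/website workflow, which is visible on this page only through the fragments the bot quotes above), the following shell script puts the CODEOWNERS extraction, the commit-message cleanup, the reviewer request body and the Markdown/non-Markdown file count into testable functions. It assumes the `#docTriagers: @a @b` comment convention the review quotes; the function names, the sample CODEOWNERS text, the commit message, the changed-file list and the PR author `bob-smith` are all constructed for the demo. Because the PR now checks out the pull request head under `pull_request_target`, CODEOWNERS, the commit message and the file list are contributor-controlled, so every value that would later reach `$GITHUB_ENV` or the API body is validated against a fixed alphabet first.

```shell
#!/bin/sh
# Added example, not code from the asyncapi/website workflow. Hardened
# versions of the fragments the review above discusses: reading the doc
# triager list from CODEOWNERS, cleaning the commit message, building the
# reviewer request body and counting Markdown vs other changed files.
# With pull_request_target and the PR head checked out, CODEOWNERS, the
# commit message and the file list all come from the contributor's branch
# and are treated as untrusted input.
set -eu
set -f   # no pathname expansion: lists are split on whitespace on purpose

# Print the handle list from the "#docTriagers: @a @b" line of the
# CODEOWNERS text on stdin. Selects the line by prefix (the prefix quoted
# in the review) rather than by position, and fails if it is absent.
extract_doc_triagers() {
  line=$(grep '^#docTriagers: ' | head -n 1)
  if [ -z "$line" ]; then
    echo "error: no '#docTriagers:' line in CODEOWNERS" >&2
    return 1
  fi
  printf '%s\n' "$line" | sed 's/^#docTriagers: //'
}

# Validate a space-separated list of "@handle" tokens and print the bare
# names one per line. Only the GitHub username alphabet is accepted
# (alphanumerics and hyphens, no leading hyphen, at most 39 characters),
# so an accepted name can go into JSON or $GITHUB_ENV without escaping.
# A quote, brace or newline smuggled in via CODEOWNERS rejects the list.
validate_handles() {
  for handle in $1; do
    if ! printf '%s\n' "$handle" | grep -Eq '^@[A-Za-z0-9][A-Za-z0-9-]{0,38}$'; then
      echo "error: rejected handle '$handle'" >&2
      return 1
    fi
    printf '%s\n' "${handle#@}"
  done
}

# Build the body for POST .../pulls/N/requested_reviewers from validated
# names, skipping the PR author (GitHub rejects a review request for the
# author). No escaping is needed after validate_handles.
build_reviewers_json() {
  author=$1
  shift
  body=""
  for name in "$@"; do
    [ "$name" = "$author" ] && continue
    body="${body:+$body,}\"$name\""
  done
  printf '{"reviewers":[%s]}\n' "$body"
}

# Flatten a commit message to one line and strip < > | [ ] ( ), with "]"
# first in the bracket expression so it is literal. Whitespace runs are
# collapsed with tr instead of xargs, which aborts on an unbalanced quote.
sanitize_commit_message() {
  printf '%s' "$1" | tr '\n' ' ' | sed 's/[][<>|()]//g' | tr -s ' ' \
    | sed 's/^ //; s/ $//'
}

# Count Markdown and non-Markdown entries in a newline-separated list and
# print "<md> <non_md>". printf is used instead of echo so an empty list
# yields zero lines; echo would print one blank line, which "grep -vc"
# counts as a non-Markdown file. The extension match is case-insensitive.
count_changed() {
  md=$(printf '%s' "$1" | grep -ic '\.md$' || true)
  non_md=$(printf '%s' "$1" | grep -ivc '\.md$' || true)
  printf '%s %s\n' "$md" "$non_md"
}

# Constructed sample inputs for the demo (not the real CODEOWNERS, commit
# or PR).
SAMPLE_CODEOWNERS='* @asyncapi/website_maintainers
#docTriagers: @alice @bob-smith
#codeTriagers: @carol'
SAMPLE_COMMIT_MESSAGE='fix: escape <title>
(closes [#12])'
SAMPLE_CHANGED_FILES='docs/intro.md
README.MD
src/app.js'

# End-to-end run with bob-smith as the (hypothetical) PR author.
demo() {
  triagers=$(printf '%s\n' "$SAMPLE_CODEOWNERS" | extract_doc_triagers)
  names=$(validate_handles "$triagers")
  build_reviewers_json bob-smith $names
  sanitize_commit_message "$SAMPLE_COMMIT_MESSAGE"
  count_changed "$SAMPLE_CHANGED_FILES"
}

demo
```

Run it with `sh`. In a workflow step the output of `build_reviewers_json` would be handed to curl with `-d @-` rather than interpolated into a quoted string, and the validated names are the only values that should be written to `$GITHUB_ENV`. Reading CODEOWNERS from the base branch (the `base.sha` the workflow already has) instead of the PR head removes the need to trust the file at all; the validation then remains as a guard against a malformed line.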

codecov bot commented Dec 16, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.59%. Comparing base (00cb653) to head (1f76eb2).
Report is 3 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #3477   +/-   ##
=======================================
  Coverage   86.59%   86.59%           
=======================================
  Files          21       21           
  Lines         664      664           
=======================================
  Hits          575      575           
  Misses         89       89           


@anshgoyalevil changed the title from "fix: bad token error of notify_reviewers_worflow" to "fix: bad token error of notify_triagers workflow" on Dec 16, 2024
@asyncapi-bot (Contributor) commented:

⚡️ Lighthouse report for the changes in this PR:

Category Score
🔴 Performance 35
🟢 Accessibility 98
🟢 Best practices 92
🟢 SEO 100
🔴 PWA 33

Lighthouse ran on https://deploy-preview-3477--asyncapi-website.netlify.app/

@anshgoyalevil (Member) commented:

/rtm

@asyncapi-bot asyncapi-bot merged commit 1812dab into asyncapi:master Dec 16, 2024
33 of 36 checks passed
@asyncapi-bot asyncapi-bot added the bounty AsyncAPI Bounty program related label label Dec 16, 2024
@aeworxet (Contributor) commented:

@asyncapi/bounty_team

Labels
bounty AsyncAPI Bounty program related label ready-to-merge
Projects
Status: Completed
4 participants